Troubleshooting Tip: FQDN is not resolving correct IP
| Description | This article describes what to check when a FortiGate resolves an FQDN address object to the wrong IP address, or to no IP address at all. |
| Scope | FortiGate. |

Solution

First check which IP address the FortiGate has resolved for the FQDN:

diagnose firewall fqdn list-ip

Example output:

vfid=0 name=anjumaneshiateali.org ver=IPv4 wait_list=0 timer=6 min_ttl=1261 cache_ttl=0 slot=9 num=1 wildcard=0 rcode=2

No resolved address follows the header line for this entry. If rcode is the standard DNS response code, a value of 2 is SERVFAIL (RFC 1035 section 4.1.1), meaning the configured DNS server failed to answer for this name; until the name resolves, the FQDN address object matches no traffic.
The DNS database can also be viewed with the following command, which shows the resolved IP addresses of all FQDNs cached by the dnsproxy daemon:

diagnose test application dnsproxy 7

Example output (only the first line is shown here):

worker idx: 0
In this case, running nslookup for anjumaneshiateali.org from a PC does not return any IP address, and the FortiGate is configured to use a private (internal) DNS server.

Solution: Query a public DNS server to determine which IP address the FQDN resolves to, and compare it with the FortiGate's cached answer. Before changing the FortiGate's DNS servers to a public resolver, clear the DNS cache on the FortiGate with:

diagnose test application dnsproxy 1 <----- Test Level 1: clear DNS cache.
If the FQDN is not resolved to the correct IP, traffic that should match the FQDN address object matches no firewall policy and hits the implicit deny policy (policy ID 0 in the forward traffic log), so the symptom is usually reported as traffic being blocked rather than as a DNS problem.

Note: If the client computer and the FortiGate use different DNS servers, configure them to use the same server. Then run 'ipconfig /flushdns' on the client to clear its DNS cache and check whether the problem is fixed.
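The comparison described above can be made repeatable. The following script is an added example, not Fortinet code and not part of the original article. It parses the text of 'diagnose firewall fqdn list-ip' (the layout of one 'vfid=... rcode=...' header line followed by the resolved addresses, one per line with the address first, is assumed from the output shown above), parses 'dig +short'-style answers from an independent resolver, and reports whether the FortiGate's cached answer failed, disagrees with the reference, or matches. The two sample outputs embedded in the script are constructed for illustration and use RFC 5737 documentation addresses; the function and field names are the example's own.

```python
"""Compare a FortiGate's cached FQDN answer with an independent resolver's answer.

Added example (not Fortinet code). Paste the output of
'diagnose firewall fqdn list-ip' and of 'dig +short <name> @<server>'
into the two inputs, or feed them from files.
"""
import ipaddress
import re

# DNS response codes (RFC 1035 section 4.1.1, RFC 2136 section 2.2).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}

_KV = re.compile(r"(\w+)=(\S+)")
_INT_FIELDS = ("vfid", "wait_list", "timer", "min_ttl", "cache_ttl", "slot",
               "num", "wildcard", "rcode")


def _as_ip(token):
    """Canonical IP string for a token such as '203.0.113.10', or None if not an address."""
    try:
        return str(ipaddress.ip_address(token.strip(",;()")))
    except ValueError:
        return None


def parse_fqdn_list(text):
    """Parse 'diagnose firewall fqdn list-ip' output.

    Assumed layout: one header line per FQDN ('vfid=0 name=... rcode=...')
    followed by the resolved addresses, one per line, address first.
    Returns {name: {"fields": {...}, "ips": set()}}.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("vfid="):
            fields = dict(_KV.findall(line))
            for key in _INT_FIELDS:
                if key in fields:
                    fields[key] = int(fields[key])
            current = {"fields": fields, "ips": set()}
            entries[fields["name"]] = current
        elif current is not None:
            ip = _as_ip(line.split()[0])
            if ip:
                current["ips"].add(ip)
    return entries


def parse_short_answers(text):
    """Parse 'dig +short' output: one record per line; CNAME targets are skipped."""
    ips = set()
    for line in text.splitlines():
        ip = _as_ip(line.strip())
        if ip:
            ips.add(ip)
    return ips


def check_fqdn(fortigate_text, reference_text, name):
    """Compare the FortiGate's cached answer for `name` with the reference resolver's answer."""
    entry = parse_fqdn_list(fortigate_text).get(name)
    reference = parse_short_answers(reference_text)
    if entry is None:
        return {"name": name, "verdict": "not_in_fortigate_cache", "reference": reference}
    rcode = entry["fields"].get("rcode", 0)
    result = {
        "name": name,
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
        "fortigate": entry["ips"],
        "reference": reference,
        "missing_on_fortigate": reference - entry["ips"],
        "extra_on_fortigate": entry["ips"] - reference,
    }
    if rcode != 0 or not entry["ips"]:
        # No usable answer: the FQDN object matches nothing, traffic hits implicit deny.
        result["verdict"] = "fortigate_resolution_failed"
    elif result["missing_on_fortigate"] or result["extra_on_fortigate"]:
        # Resolvers disagree: stale cache or a split-horizon/private DNS view.
        result["verdict"] = "mismatch"
    else:
        result["verdict"] = "consistent"
    return result


# Constructed sample (not a real capture). The first header line copies the field
# layout from the article; the second entry and all addresses are invented.
FORTIGATE_SAMPLE = """\
vfid=0 name=anjumaneshiateali.org ver=IPv4 wait_list=0 timer=6 min_ttl=1261 cache_ttl=0 slot=9 num=1 wildcard=0 rcode=2
vfid=0 name=example.net ver=IPv4 wait_list=0 timer=0 min_ttl=300 cache_ttl=0 slot=10 num=1 wildcard=0 rcode=0
198.51.100.7 (ttl=300:300:300)
"""

# Constructed 'dig +short' answers from a public resolver (RFC 5737 addresses).
PUBLIC_SAMPLE = {
    "anjumaneshiateali.org": "203.0.113.10\n",
    "example.net": "198.51.100.8\n",
}

if __name__ == "__main__":
    for fqdn, answer in PUBLIC_SAMPLE.items():
        r = check_fqdn(FORTIGATE_SAMPLE, answer, fqdn)
        print("%s: %s (rcode=%s, fortigate=%s, reference=%s)" % (
            fqdn, r["verdict"], r.get("rcode_name"),
            sorted(r.get("fortigate", ())), sorted(r["reference"])))
```

A verdict of fortigate_resolution_failed points at the FortiGate's own DNS server (clear the cache with 'diagnose test application dnsproxy 1' and re-check, or move to a resolver that answers); a mismatch means both sides answer but disagree, which is the split-horizon case the note above addresses by putting the client and the FortiGate on the same DNS server.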
